Abstract

We investigate, in the Shannon model, the security of constructions corresponding to double
and (two-key) triple DES. That is, we consider $F_{k_1}(F_{k_2}(\cdot))$ and $F_{k_1}(F^{-1}_{k_2}(F_{k_1}(\cdot)))$ with the
component functions being ideal ciphers. This models the resistance of these constructions to
"generic" attacks like meet in the middle attacks.

We obtain the first proof that composition actually increases the security in some meaningful 
sense. We compute a bound on the probability of breaking the double cipher as a function of the 
number of computations of the base cipher made, and the number of examples of the composed 
cipher seen, and show that the success probability is the square of that for a single key cipher. 
The same bound holds for the two-key triple cipher. The first bound is tight and shows that 
meet in the middle is the best possible generic attack against the double cipher. 
1 Introduction



A block cipher is a map $F : \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^n$. Here $\kappa$ is the key size and $n$ is the block
size. Each $\kappa$-bit key $k$ induces a map $F_k(\cdot) = F(k,\cdot) : \{0,1\}^n \to \{0,1\}^n$ which is a permutation on
$\{0,1\}^n$. Let $F^{-1}$ denote the inverse cipher, meaning $F^{-1}(k,\cdot) \stackrel{\mathrm{def}}{=} F_k^{-1}$ is the inverse map of $F_k(\cdot)$.
For example, DES is such a cipher with $\kappa = 56$ and $n = 64$.

It is common practice to compose ciphers in attempts to increase security. The result of com- 
position is a new cipher, with a larger key size but the same block size. Here are the two most 
popular mechanisms, corresponding, respectively, to double DES and (two-key) triple DES: 

• Double $F$, or the 2-cascade cipher: $\mathrm{Dbl}\text{-}F : \{0,1\}^{2\kappa} \times \{0,1\}^n \to \{0,1\}^n$ is defined by

$\mathrm{Dbl}\text{-}F_{k_1 k_2}(x) = F_{k_1}(F_{k_2}(x))$.

• Two-key triple $F$: $\mathrm{Trp}_2\text{-}F : \{0,1\}^{2\kappa} \times \{0,1\}^n \to \{0,1\}^n$ is defined by

$\mathrm{Trp}_2\text{-}F_{k_1 k_2}(x) = F_{k_1}(F^{-1}_{k_2}(F_{k_1}(x)))$.

Let $\mathrm{Op}\text{-}F : \{0,1\}^{\kappa^*} \times \{0,1\}^n \to \{0,1\}^n$ denote one of these, where $\kappa^* = 2\kappa$ and $\mathrm{Op} \in \{\mathrm{Dbl}, \mathrm{Trp}_2\}$.
What we want to know is: How good a cipher is Op-F? Has the composition and the increased 
key length actually bought us anything? 

Generic versus cryptanalytic attacks. There are several possible approaches to this ques- 
tion, depending on what kinds of attacks one wants to take into account. There are two main 
classes of attacks: 

• Cryptanalytic attacks: Like differential and linear cryptanalysis.

• Generic attacks: Like exhaustive key search and meet-in-the-middle attacks. 

Generic attacks are, roughly, those that don't exploit the structure of the cipher, but work against 
any cipher, even an ideal one. More precisely, we define generic attacks as those that succeed in 
the Shannon model of an ideal cipher discussed below. 

The strength of specific composed ciphers like double DES against cryptanalytic attacks is not 
known; certainly, one does not expect a proof of such strength. The strength of the composed 
cipher against generic attacks, in contrast, can at least in principle be determined, by an analysis 
in the Shannon model, since it is a purely information theoretic question. However, the technical 
problems here are quite challenging; in particular, it is not even known that composition increases 
the strength of a cipher at all in this model. 

In this paper we tackle this question, analyzing, in the Shannon model, two-key based com- 
positions such as the above. We will prove upper bounds on the probability of "breaking" the 
composed cipher as a function of the "effort" invested by the adversary, with both terms in quotes 
to be properly defined. Our results are the first to show that cipher composition in the Shannon 
model actually increases security: the success probability of an adversary, as a function of her 
resources, is significantly lower than in the case of a single key cipher. For the double cipher our 
results are actually tight (optimal) and show that meet in the middle is the best possible generic 
attack on this cipher. We now define the model, and state our results, more precisely. 

1.1 The model 

We model $F$ as an ideal block cipher in the sense of Shannon. This means $F(k,\cdot)$ is a random
permutation on $\{0,1\}^n$, for each $k$. More precisely, let $\mathrm{PERM}(n)$ be the set of all permutations on
$\{0,1\}^n$. Then, for each $\kappa$-bit key $k$, select, uniformly and independently, a map from $\mathrm{PERM}(n)$,
and assign this value. So $F$ consists of $2^\kappa$ maps, each a random permutation.

Now, we want to ask how good is $\mathrm{Op}$ as a composition operator. How can we measure this? We
do so in a strong adversarial model, which allows the adversary chosen plaintext attacks on $\mathrm{Op}\text{-}F$.
Furthermore, success for the adversary $A$ does not mean she has to find the key: it suffices that $A$
identify some "weakness" in the cipher. This means $A$ should be able to detect any deviation in
$\mathrm{Op}\text{-}F_{k^*}(\cdot)$ from a truly random permutation, when $k^*$ is a random and hidden key for $\mathrm{Op}\text{-}F$.

Formally, give the adversary oracles for $F, F^{-1}$. (This models her ability to compute the original
cipher at any points she likes.) Also give her an oracle we call $E : \{0,1\}^n \to \{0,1\}^n$, which can
take one of two forms:

• World 1: Set $E = \mathrm{Op}\text{-}F_{k^*}(\cdot)$ where $k^* \in \{0,1\}^{\kappa^*}$ is a randomly chosen key for cipher $\mathrm{Op}\text{-}F$.

• World 2: Set $E = \pi$ where $\pi$ is a permutation chosen randomly from $\mathrm{PERM}(n)$.

Put the adversary $A$ in one of these worlds, and ask her which one she is in. If she can't tell
then $\mathrm{Op}\text{-}F_{k^*}(\cdot)$ is behaving like a random permutation, meaning it is good. Formally, define the
advantage of $A$ as $P_1 - P_2$, where $P_i$ is the probability that $A$ outputs 1 in world $i \in \{1,2\}$. (The
probability is over the choice of the oracles in each case.) Call $A$ a $(q,t)$-adversary if it makes at
most $t$ queries to the $F, F^{-1}$ oracles and at most $q$ queries to the $E$ oracle. (Note in practice $t$ is
likely to be much larger than $q$ since $F, F^{-1}$ queries are just DES computations and $E$ queries are
plaintexts in a chosen plaintext attack. We always assume $q \ge 1$ since otherwise the advantage of
the adversary is zero no matter what the construction.) Define

$\mathrm{Sec}(\mathrm{Op}, \kappa, n, q, t)$

as the maximum advantage attainable by any $(q,t)$-adversary. This is the key quantity; it is a
function we call the security of the operator $\mathrm{Op}$. The question is to determine this function as
accurately as possible. In particular we want to upper bound it as a function of the adversary
resources $q, t$ and the block cipher parameters $\kappa, n$.

Before stating the results we stress the power of the model. It allows chosen plaintext attacks 
on the composite cipher Op-F. Note it certainly captures common attacks like birthday attacks 
and meet-in-the-middle attacks, but also more sophisticated attacks which could be adaptive. 

Notice that the advantage of a $(q,t)$-adversary in attacking the single key cipher $F$ itself in this
model (namely $E = F_k$ for a random $\kappa$-bit string $k$ in world 1) will be (at most) $t/2^\kappa$. This is the
mark we have to beat if we want to show that the composed cipher is stronger than the original
one.



1.2 The results 



It is known that the strength of the composed cipher is at least that of the first [10], but prior to
this work it was not known whether the advantage of a $(q,t)$-adversary versus $\mathrm{Dbl}\text{-}F$ was any lower
than its advantage versus the single key cipher $F$ itself. Here we are able to show that composition
actually increases security, in the ideal cipher model described above.

The double key cipher. Recall that the double $F$ cipher $\mathrm{Dbl}\text{-}F$ has $2\kappa$ bits of key. Our main
result is Theorem 3.1, which says that $\mathrm{Sec}(\mathrm{Dbl}, \kappa, n, q, t)$ is at most $t^2/2^{2\kappa}$. Namely, no $(q,t)$-
adversary attacking the double cipher can achieve an advantage greater than $t^2/2^{2\kappa}$.

We also show this bound is essentially tight, due to (a variant of) the meet in the middle attack.
Theorem A.2 presents an adversary who runs this attack, and analyzes it to show that its advantage
is within a small factor of $t^2/2^{2\kappa}$.
Figure 1: $\mathrm{Sec1}(x)$ (the upper curve) and $\mathrm{Sec2}(x)$ (the lower curve) are, respectively, the maximal possible
advantage obtainable by an adversary in breaking the single and double key ideal ciphers, as
a function of $x = \log_2(t)$, the logarithm of the number of cipher computations made. We are using a key
length of $\kappa = 56$. We see that $\mathrm{Sec2}$ lies below $\mathrm{Sec1}$ but they meet at 1. The text provides the exact formulas
for these quantities.

Note that the maximum possible advantage of an adversary attacking the double cipher case is
the square of the maximum possible advantage of an adversary of the same resources attacking the
original single key cipher. Thus, it is considerably smaller in most cases. (For example if $\kappa = 56$
and $t = 2^{45}$ then the former is $2^{-22}$ and the latter is $2^{-11}$. Or, looking at it another way, to achieve
an advantage of $2^{-11}$ against the double cipher you need at least $2^{50}$ queries, while to get the same
advantage against the single cipher you need only $2^{45}$ queries.) To see the relation better, we plot
in Figure 1 the maximal advantage $t/2^\kappa$ of an adversary in breaking the original single key cipher,
and the maximal advantage $t^2/2^{2\kappa}$ of an adversary in breaking the double cipher, as a function of
$x = \log_2(t)$.

Notice that the upper bound on the advantage in the double key case hits one (meaning, the
scheme can be broken) when $t = 2^\kappa$. This is expected: that's the meet in the middle attack. Of
course, that's the same point at which the advantage hits one for the original single key cipher. (In
this case due to an exhaustive key search attack.) Thus, the "effective key length" of the double
cipher is not more than that of the single one. That does not mean that security has not increased.
Security is not a number, but a function of the resources invested, and our analysis and Figure 1
show that for values of $t$ below $2^\kappa$ the chance of breaking the double cipher is smaller than that of
breaking the original one.

The two-key triple cipher. We show that the same bound holds for the two-key triple cipher,
meaning the advantage of a $(q,t)$-adversary is bounded by $t^2/2^{2\kappa}$. This shows that here too there
is an improvement in the security curve as a function of $t$. In this case our bound is tight for the
case $t \approx q$ but not tight in general.

The $m$-fold cascade. The $m$-fold composition of cipher $F$ is the cipher with key $k_1, \ldots, k_m$
defined by $F_{k_1 \cdots k_m} = F_{k_1} \circ F_{k_2} \circ \cdots \circ F_{k_m}$. The techniques above extend to show that the advantage
of a $(q,t)$-adversary is at most $t^m/2^{m\kappa}$. This shows that the advantage grows more and more slowly
as $m$ increases. However, for $m \ge 3$ the result is not tight; we expect the 3-fold composed cipher
to have an even greater strength than this indicates. Thus, we won't discuss this result any more
in this paper.

The future. The analysis of the two key ciphers we present here is a start on a problem that
appears to be quite technically challenging. In the future we would like to see tight bounds on the
advantage for the $m$-fold composition for $m \ge 3$ and also for the two-key triple cipher in the case
$q \ll t$, but the distance needed to get there seems quite large at this time.



1.3 Related work 

The model used here is that of Kilian and Rogaway, who in turn built on Even and Mansour,
although the basic idea of course goes back to Shannon [13].

Kilian and Rogaway analyze Rivest's DESX cipher in this model and show it has a large ef-
fective key length. If generic (or, as they call them, key search) attacks are the only concern, DESX
is cheaper than Double or Triple DES, but DESX is just as vulnerable as DES to differential and 
linear cryptanalysis. The (apparent) strength of Double and two-key triple DES against cryptanal- 
ysis coupled with the proven strength against generic attacks seem to make a strong combination 
that is absent for DESX. 

The basic meet in the middle attacks are due to [12]. Even and Goldreich provide some
time-space tradeoffs for meet-in-the-middle attacks, and Van Oorschot and Wiener [14] reduce
the space requirements.

Even and Goldreich had shown that the cascade of $m$ ciphers is at least as strong as its
strongest component. Maurer and Massey [10] argued that this result required restrictions in the
model, and also showed that the cascade is at least as strong as its first component. Our work is
the first to show that the cascade can be stronger than the original cipher.

Our analysis builds on techniques of prior work. Applications aside, we feel that we are looking
at a basic information theoretic question, namely the power of cascaded ciphers.

A preliminary version of our paper appeared as [1]. Material omitted there due to space restric-
tions is included here.



1.4 Discussion on Implications of our result 

What implications do these results have for the security of real ciphers like DES? This is a question 
that needs to be addressed with some care. After all, DES is not an ideal cipher. 

We are not claiming to have "proven Double DES" secure; that obviously is not a realistic
possibility. Our results might be interpreted as saying that the existence of a generic attack against
DES that is substantially better than the meet in the middle attack would imply serious weaknesses
in the random behavior of DES, a behavior that so far has empirical support.

The class of generic attacks is broad enough to be interesting, including meet-in-the-middle 
attacks and variants of it. But it does not include cryptanalytic attacks like differential or linear 
cryptanalysis, which exploit the structure of the cipher. However, one should note that at the 
moment the best attacks against Double and Triple DES are not the cryptanalytic ones, but the 
generic meet-in-the-middle attacks. And our results can be interpreted as ruling out improvements 
along those lines. 

The adversary resources we consider here are the number of cipher computations t and the 
number of available plaintext-ciphertext pairs of the attacked cipher available, q. These are the 
most basic resources, and also the natural ones to consider in an information theoretic setting. One 
might attempt to consider other resources like space (e.g. when it is small compared to the number 
of queries), or make a distinction between parallelizable and sequential computations. Addressing 
these issues would change the nature of the problem to the point where it is difficult to see how it
might be treated by techniques similar to the ones we use. 

1.5 Organization 

The double cipher analysis is in Section 3. There we state and prove the upper bound. In
Appendix A we present the meet in the middle attack analysis that shows the upper bound is
tight. The analysis of the two-key triple cipher is in Appendix B.

2 Definitions 

General. We use standard notation for expressing probabilistic experiments and algorithms. 
Namely if $S$ is a probability space then $x \leftarrow S$ denotes the operation of drawing $x$ at random
according to distribution $S$. If $S$ is a set we use the same notation with the understanding that $S$
is imbued with the uniform distribution. If $S$ is not a set or probability space (in particular if $x$ is
a string or function) then $x \leftarrow S$ is simply an assignment statement.

Block ciphers. For an integer $n \ge 1$ let $\mathrm{PERM}(n)$ denote the set of all maps $\pi : \{0,1\}^n \to \{0,1\}^n$
that are permutations, meaning both one-to-one and onto. A function $F : \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^n$
is a block cipher if for each key $k \in \{0,1\}^\kappa$, the function $F(k,\cdot) : \{0,1\}^n \to \{0,1\}^n$ is a permutation
on $\{0,1\}^n$, meaning a member of $\mathrm{PERM}(n)$. Here, $n$ is the block length of the cipher and $\kappa$ is the
key length of the cipher. Think of $F$ as a $2^\kappa$ by $2^n$ table, with entry $(k, x)$ containing $F(k, x)$. Each
row is a permutation of $\{0,1\}^n$. For convenience, define $F_k : \{0,1\}^n \to \{0,1\}^n$, for each $k \in \{0,1\}^\kappa$,
by $F_k(x) = F(k, x)$. This is the permutation in the $k$-th row. Although the function $F$ does not
have an inverse function, it does have a well defined inverse block cipher. When it is clear from
context that $F$ is a block cipher then we will let $F^{-1} : \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^n$ denote the block
cipher inverse of $F$, defined as follows: $F^{-1}(k, y) = F_k^{-1}(y)$. That is, $F^{-1}(k, y) = x$ iff $F(k, x) = y$.

Let $\mathrm{BC}(\kappa, n)$ denote the set of all block ciphers with key length $\kappa$ and block length $n$. This is
viewed as a probability space under the uniform distribution. Thus $F \leftarrow \mathrm{BC}(\kappa, n)$ means that $F$
is selected according to the following experiment:

for all $k \in \{0,1\}^\kappa$ do $F(k, \cdot) \leftarrow \mathrm{PERM}(n)$.

Operators: Double and triple. We are interested in transformations, or operators, which
map one block cipher to another. In general such an operator is a map $\mathrm{Op}$ taking a block cipher
$F \in \mathrm{BC}(\kappa, n)$ and returning another block cipher, which we denote by $\mathrm{Op}\text{-}F$, and which belongs to
$\mathrm{BC}(\kappa^*, n^*)$ for some values of $\kappa^*, n^*$ that depend on $\kappa, n$ and $\mathrm{Op}$. (In this paper it will always be
the case that $n^* = n$.) We now define the two central operators for this paper.

The double composition operator $\mathrm{Dbl} : \mathrm{BC}(\kappa, n) \to \mathrm{BC}(2\kappa, n)$ is defined by $\mathrm{Dbl}\text{-}F_{k_1 k_2} = F_{k_1} \circ F_{k_2}$.
In other words, $\mathrm{Dbl}\text{-}F(k_1 k_2, x) = F(k_1, F(k_2, x))$ for every $k_1, k_2 \in \{0,1\}^\kappa$ and every $x \in \{0,1\}^n$.
The two key, triple composition operator $\mathrm{Trp}_2 : \mathrm{BC}(\kappa, n) \to \mathrm{BC}(2\kappa, n)$ is defined by
$\mathrm{Trp}_2\text{-}F_{k_1 k_2} = F_{k_1} \circ F^{-1}_{k_2} \circ F_{k_1}$. In other words, $\mathrm{Trp}_2\text{-}F(k_1 k_2, x) = F(k_1, F^{-1}(k_2, F(k_1, x)))$ for every $k_1, k_2 \in \{0,1\}^\kappa$
and every $x \in \{0,1\}^n$. Note both these ciphers have key length twice that of the original cipher.

Security. We will be considering the security of these operators. The setting for security is the
following. Consider an adversary algorithm $A$ which has access to three oracles, $E, F, F^{-1}$, where
$F \in \mathrm{BC}(\kappa, n)$ and $E : \{0,1\}^n \to \{0,1\}^n$. It computes with them and eventually outputs a bit. This
computation is adaptive. This means that it makes queries to oracles as it pleases, choosing these
queries as a function of answers to previous queries. We represent $A$'s output when interacting with
these oracles by $A^{E,F,F^{-1}}$. (Since we will not restrict the computational power of the adversary $A$,
it is without loss of generality deterministic, and hence this output is uniquely defined once $A, F, E$
are fixed.) If the oracles that $A$ interacts with are chosen according to some distribution then $A$'s
output will be a random variable over $\{0,1\}$. We let

$\mathrm{Succ}_A(\kappa, n) = \Pr\left[\, A^{E,F,F^{-1}} = 1 \;:\; F \leftarrow \mathrm{BC}(\kappa, n) \,;\; E \leftarrow \mathrm{PERM}(n) \,\right]$

denote the success probability of $A$ in the "ideal world" (called world 2 in the Introduction) where
$E$ is a random permutation independent of the cipher $F$. On the other hand, if $\mathrm{Op} : \mathrm{BC}(\kappa, n) \to \mathrm{BC}(\kappa^*, n^*)$
is an operator then we let

$\mathrm{Succ}_A(\mathrm{Op}, \kappa, n) = \Pr\left[\, A^{E,F,F^{-1}} = 1 \;:\; F \leftarrow \mathrm{BC}(\kappa, n) \,;\; k^* \leftarrow \{0,1\}^{\kappa^*} \,;\; E \leftarrow \mathrm{Op}\text{-}F_{k^*} \,\right].$

In other words, having selected $F$, apply the operator to it to get a new cipher $F^* = \mathrm{Op}\text{-}F$. Now,
choose at random a permutation $E$ of this cipher, by choosing a key $k^*$ and setting $E$ to $F^*_{k^*}$. (This
was called world 1 in the Introduction.) Now let

$\mathrm{Adv}_A(\mathrm{Op}, \kappa, n) = \mathrm{Succ}_A(\mathrm{Op}, \kappa, n) - \mathrm{Succ}_A(\kappa, n).$

This is the advantage of $A$ in breaking the $\mathrm{Op}$ induced cipher. To measure the quality of a
particular operator $\mathrm{Op}$ (e.g. $\mathrm{Dbl}$ or $\mathrm{Trp}_2$) we want to upper bound the advantage in terms of the
resources used by the adversary, meaning the number of queries it makes to its oracles. We call a
query to the $E$ oracle an $E$-query; a query to the $F$ oracle an $F$-query; a query to the $F^{-1}$ oracle
an $F^{-1}$-query. Typically the number of $E$-queries is denoted $q$, while the sum of the number of $F$
and $F^{-1}$ queries is denoted $t$. The security of the operator $\mathrm{Op}$ is then given by

$\mathrm{Sec}(\mathrm{Op}, \kappa, n, q, t) = \max_A \mathrm{Adv}_A(\mathrm{Op}, \kappa, n),$

where the maximum is taken over all adversaries $A$ who make at most $q$ $E$-queries and at most $t$
$F/F^{-1}$ queries. Thus our goal will be to bound $\mathrm{Sec}(\mathrm{Op}, \kappa, n, q, t)$ in terms of $q, t, \kappa, n$ for the two
ciphers we are investigating, namely $\mathrm{Op} = \mathrm{Dbl}$ and $\mathrm{Op} = \mathrm{Trp}_2$.

We stress that this bound will apply to any adversary. No assumptions are made about the 
strategy followed by this adversary other than that it is limited to the specified number of queries. 
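The model of Sections 1.1 and 2 can be made concrete at toy scale. The following is an added example, not code from the paper: it samples $F \leftarrow \mathrm{BC}(\kappa, n)$ as one random permutation per key, builds the $\mathrm{Dbl}$ and $\mathrm{Trp}_2$ tables from the definitions above, and wraps $E, F, F^{-1}$ in an oracle object that enforces the $(q,t)$ query budgets, so that an adversary's advantage $P_1 - P_2$ can be estimated by running it in world 1 and world 2. The key and block lengths (`KAPPA = 3`, `N = 4`), all function and class names, and the deliberately weak `low_half_adversary` are assumptions made for illustration.

```python
# Added example (not code from the paper): a toy instance of the Shannon
# ideal-cipher model of Sections 1.1 and 2, with the E, F, F^{-1} oracles,
# the two worlds, and the (q, t) query accounting of the security definition.
# KAPPA and N are tiny illustrative assumptions so every table fits in memory.
import random

KAPPA = 3   # assumed key length kappa (bits)
N = 4       # assumed block length n (bits)

def sample_block_cipher(kappa, n, rng):
    """F <- BC(kappa, n): for every key k, F(k, .) <- PERM(n) independently.
    The cipher is returned as its 2^kappa by 2^n table; row k is F_k."""
    table = []
    for _ in range(2 ** kappa):
        row = list(range(2 ** n))
        rng.shuffle(row)          # a uniformly random permutation of {0,1}^n
        table.append(row)
    return table

def invert(F):
    """The inverse block cipher F^{-1}: F^{-1}(k, y) = x iff F(k, x) = y."""
    Finv = []
    for row in F:
        inv = [0] * len(row)
        for x, y in enumerate(row):
            inv[y] = x
        Finv.append(inv)
    return Finv

def make_instance(kappa, n, seed):
    """Convenience: a seeded (F, F^{-1}) pair."""
    F = sample_block_cipher(kappa, n, random.Random(seed))
    return F, invert(F)

def dbl(F, Finv, k1, k2):
    """Dbl-F_{k1 k2} = F_{k1} o F_{k2}, i.e. x -> F(k1, F(k2, x)), as a table."""
    return [F[k1][F[k2][x]] for x in range(len(F[0]))]

def trp2(F, Finv, k1, k2):
    """Trp2-F_{k1 k2} = F_{k1} o F^{-1}_{k2} o F_{k1}, as a table."""
    return [F[k1][Finv[k2][F[k1][x]]] for x in range(len(F[0]))]

def is_permutation(row):
    """Membership test for PERM(n): the row is one-to-one and onto {0,1}^n."""
    return sorted(row) == list(range(len(row)))

class Oracles:
    """The oracles handed to a (q, t)-adversary, with the budgets enforced:
    at most q E-queries and at most t F/F^{-1} queries in total."""

    def __init__(self, F, Finv, E, q, t):
        self._F, self._Finv, self._E = F, Finv, E
        self.q_left, self.t_left = q, t

    def E(self, x):
        if self.q_left == 0:
            raise RuntimeError("E-query budget q exhausted")
        self.q_left -= 1
        return self._E[x]

    def _spend_t(self):
        if self.t_left == 0:
            raise RuntimeError("F/F^-1 query budget t exhausted")
        self.t_left -= 1

    def F(self, k, x):
        self._spend_t()
        return self._F[k][x]

    def Finv(self, k, y):
        self._spend_t()
        return self._Finv[k][y]

def run_game(adversary, op, kappa, n, q, t, world, rng):
    """One run of the distinguishing game. World 1: E = Op-F_{k*} for a random
    key pair k* = (k1, k2). World 2: E is a random permutation independent of
    F. Returns the adversary's output bit (0 or 1)."""
    F = sample_block_cipher(kappa, n, rng)
    Finv = invert(F)
    if world == 1:
        k1, k2 = rng.randrange(2 ** kappa), rng.randrange(2 ** kappa)
        E = op(F, Finv, k1, k2)
    else:
        E = list(range(2 ** n))
        rng.shuffle(E)
    return adversary(Oracles(F, Finv, E, q, t))

def estimate_advantage(adversary, op, kappa, n, q, t, trials, seed=0):
    """Monte Carlo estimate of Adv_A(Op, kappa, n) = P1 - P2, where P_i is the
    probability that the adversary outputs 1 in world i."""
    rng = random.Random(seed)
    p1 = sum(run_game(adversary, op, kappa, n, q, t, 1, rng) for _ in range(trials))
    p2 = sum(run_game(adversary, op, kappa, n, q, t, 2, rng) for _ in range(trials))
    return (p1 - p2) / trials

def low_half_adversary(o):
    """A deliberately weak (1, 0)-adversary: one E-query and no F queries. E(0)
    is uniform on {0,1}^N in both worlds, so its advantage is close to zero."""
    return 1 if o.E(0) < 2 ** (N - 1) else 0

if __name__ == "__main__":
    F, Finv = make_instance(KAPPA, N, seed=1)
    print("Dbl-F_{1,2} as a table:", dbl(F, Finv, 1, 2))
    print("advantage of the weak adversary:",
          estimate_advantage(low_half_adversary, dbl, KAPPA, N, q=1, t=0, trials=200))
```

Any adversary is just a callable that receives an `Oracles` object and returns a bit; the budget checks make the $(q,t)$ restriction of the definition explicit, and because world 2 never consults the keys, the same harness exhibits the observation of Section 3.1 that the responses in Game 2 are independent of the crucial key pair.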



3 Security analysis of the double cipher 

In this section our goal will be to determine the security of the doubly iterated ideal cipher. In
other words, we want to estimate, as accurately as possible, the value of $\mathrm{Sec}(\mathrm{Dbl}, \kappa, n, q, t)$, as a
function of the cipher parameters $\kappa, n$ and the adversary resource bounds $q, t$. The following is the
main theorem, which provides an upper bound on the security. It says that the advantage of any
adversary $A$ attacking the doubly iterated ideal cipher is at most $t^2/2^{2\kappa}$, regardless of the strategy
used by this adversary.



Theorem 3.1 For any $\kappa, n, q, t \ge 1$ it is the case that

$\mathrm{Sec}(\mathrm{Dbl}, \kappa, n, q, t) \le \dfrac{t^2}{2^{2\kappa}}.$



Notice that the bound depends only on the number $t$ of $F/F^{-1}$ queries made by $A$, and the key
length $\kappa$ of the cipher; it does not depend on the number $q$ of $E$-queries made by $A$ or the block
length $n$ of the cipher. This reflects the reality. In fact our result is essentially tight; more precisely,
the bound above is tight up to constant factors as long as $q$ is not too tiny. This is established by
Theorem A.2 where we show that an appropriate adaptation of the standard meet in the middle
attack enables an adversary to obtain an advantage close to that of the upper bound.

The rest of this section will be devoted to a proof of Theorem 3.1. We fix an adversary $A$ who
makes at most $q$ $E$-queries and at most $t$ $F/F^{-1}$ queries. We want to show that
$\mathrm{Adv}_A(\mathrm{Dbl}, \kappa, n) \le t^2/2^{2\kappa}$. We will first introduce some terminology.



3.1 Preliminaries 

The probability spaces. We consider two "games." Each consists of running the adversary
with its oracles chosen according to some probability space. Probability Space 1 is that of the
experiment defining $\mathrm{Succ}_A(\mathrm{Dbl}, \kappa, n)$. Namely, the underlying experiment is:

$F \leftarrow \mathrm{BC}(\kappa, n) \,;\; k_1^* \leftarrow \{0,1\}^\kappa \,;\; k_2^* \leftarrow \{0,1\}^\kappa \,;\; E \leftarrow F_{k_1^*} \circ F_{k_2^*} \,,$

and Game 1 is to just run $A^{E,F,F^{-1}}$ and reply to its oracle queries according to the functions
$E, F, F^{-1}$ chosen by the experiment. Now, the experiment defining Probability Space 2 is

$F \leftarrow \mathrm{BC}(\kappa, n) \,;\; k_1^* \leftarrow \{0,1\}^\kappa \,;\; k_2^* \leftarrow \{0,1\}^\kappa \,;\; E \leftarrow \mathrm{PERM}(n) \,.$

In Game 2, we just run $A^{E,F,F^{-1}}$ and reply to its oracle queries according to the functions $E, F, F^{-1}$
chosen by the experiment. Notice that in so doing, we completely ignore the two keys $k_1^*, k_2^*$; the
responses to oracle queries do not depend on these at all. Thus, the output of $A$ in Game 2 is
exactly that in the experiment defining $\mathrm{Succ}_A(\kappa, n)$. The extra keys we have created will be used
only in the analysis. We let $\Pr_1[\cdot]$ denote the probability under Probability Space 1, and $\Pr_2[\cdot]$
that under Probability Space 2.

Quantities involved. Since we are not limiting the computing power of the adversary, we may,
without loss of generality, regard it as deterministic. We may also assume it makes exactly $q$
$E$-queries and exactly $t$ $F/F^{-1}$ queries, and that no query is ever repeated. When the oracles
$E, F, F^{-1}$ are fixed, the sequence of queries by $A$ and responses by the oracles is determined. We
view it as a game in which the adversary and the oracles alternate moves; one query followed by
a response is a round, so each round has two moves, the first by the adversary, the second by the
oracles. There are $q + t$ rounds. We will be referring to the following quantities:

Mvs = The set $\{0, 1, \ldots, 2(q+t)\}$ whose members will be used to index moves of
the game.

OdMvs = The set of odd numbers in Mvs, corresponding to question moves.
EvMvs = The set of even numbers in Mvs, corresponding to reply moves.

It is technically convenient to include 0 in these sets even though there is no 0-th round or move.
Furthermore we use the following notation:

$q_i$ : For $i \in$ OdMvs, the query in the $i$-th move. It is of the form $(x, *)$,
$(k, x, *)$, or $(k, *, y)$ which are queries to $E$, $F$, and $F^{-1}$, respectively.

$r_i$ : For $i \in$ EvMvs, the reply in the $i$-th move. For $i > 0$ it is $(x, E(x))$,
$(k, x, F_k(x))$, or $(k, F_k^{-1}(y), y)$, corresponding, respectively, to the
query $q_{i-1}$; for $i = 0$ it is the empty string.

$\mathrm{View}_i(A^{E,F,F^{-1}})$ : For $i \in$ Mvs, the view of the adversary after $i$ moves; this is
$q_1 r_2 \cdots q_{i-1} r_i$ if $i > 0$ is even; $q_1 r_2 \cdots r_{i-1} q_i$ if $i$ is odd; and the
empty string if $i = 0$.

$\mathrm{View}(A^{E,F,F^{-1}})$ : $\mathrm{View}_{2(q+t)}(A^{E,F,F^{-1}})$.

Note the adversary's output bit is some deterministic function of the last view. We call the keys
$(k_1^*, k_2^*)$ chosen in the games the crucial key pair. Our analysis will focus on whether or not this
key pair is "eliminated" by a current view, and what is its distribution from the point of view of $A$
if not. So let $v_i$ represent a possible view after $i$ moves of the game. We consider two sets of key
pairs, the "seen key pairs" (SKP) and the "remaining key pairs" (RKP):

$\mathrm{SKP}(v_i)$ : A key pair $k_1, k_2$ is in $\mathrm{SKP}(v_i)$ if there are two queries $q$ and $q'$ in $v_i$ such
that $q$ is an $F$-query or $F^{-1}$-query with key $k_1$ (i.e., a query of the form
$(k_1, x, *)$ or $(k_1, *, y)$, respectively), and $q'$ is an $F$-query or $F^{-1}$-query with
key $k_2$ (i.e., a query of the form $(k_2, x, *)$ or $(k_2, *, y)$, respectively).

$\mathrm{RKP}(v_i) = (\{0,1\}^\kappa \times \{0,1\}^\kappa) - \mathrm{SKP}(v_i)$

Note that $\mathrm{SKP}(v_i)$ depends only on the queries in $v_i$ and not on the replies. That is,
$\mathrm{SKP}(v_i) = \mathrm{SKP}(v_{i+1})$ for $i \in$ OdMvs. If $A$ knows that $F_{k_2}(x) = y$ and $F_{k_1}(y) = z$ and has also made the $E$
query $x$ then it can with high probability eliminate $(k_1, k_2)$ as a candidate for the crucial key pair.
Intuitively, we might think of the key pairs $(k_1, k_2) \in \mathrm{SKP}(v_i)$ as being "eliminated". (Of course,
they might not be eliminated, but we can't be sure, so we count them out.) Thus $\mathrm{RKP}(v_i)$ captures
the set of remaining key pairs associated to any view. These are the key pairs $(k_1, k_2)$ so that at
least one of them has not been in either an $F$ or an $F^{-1}$ query. Note the key pair is not considered
"eliminated" if one of its components has been in an $F/F^{-1}$ query: both have to have been in such
queries to "eliminate" the pair.

The current view $v_i$ contains some number of $F$ or $F^{-1}$ queries on a particular key $k$. This
effectively "opens up" the corresponding spots in row $k$ of the $F$ table, in the sense that in the
randomly chosen $F$ table, these entries become known to the adversary. Similarly for $E$-queries.
We let

$\text{F-Qrs}(k, v_i)$ = The set of all $y$ such that there are responses in $v_i$ of the form $(k, x, y)$.
$\text{E-Qrs}(v_i)$ = The set of all $y$ such that there are responses in $v_i$ of the form $(x, y)$.

The random variables. Under the random choice of $E, F, F^{-1}$ made in the probability spaces 1
and 2, the above discussed quantities become random variables. Here are some random variables
we will need to refer to explicitly:

$Q_i$ : Takes value $q_i$, the $i$-th query, for $i \in$ OdMvs.
$R_i$ : Takes value $r_i$, the $i$-th reply, for $i \in$ EvMvs.
$T_i$ : Equals $Q_i$ if $i$ is odd and $R_i$ if $i$ is even.
$\mathrm{View}_i$ : Takes value $\mathrm{View}_i(A^{E,F,F^{-1}})$, for $i \in$ Mvs.
$\mathrm{View}$ : Takes value $\mathrm{View}(A^{E,F,F^{-1}})$.
$U_{i,j}$ : Equals $T_i \cdots T_j$.

The bad event. We also define a central event:

$\mathrm{BAD}_i$ : For $i \in$ Mvs, event $\mathrm{BAD}_i$ is said to happen if the crucial key pair $(k_1^*, k_2^*)$ is
seen, that is, $(k_1^*, k_2^*) \in \mathrm{SKP}(\mathrm{View}_i)$.

In other words, the crucial key pair is "eliminated". Whether a particular key pair has been seen
only depends on the queries of $A$ and thus $\mathrm{BAD}_i = \mathrm{BAD}_{i+1}$ for $i \in$ OdMvs. We let $\mathrm{BAD}$ be $\mathrm{BAD}_{2(q+t)}$,
meaning it captures whether the bad event happened at the end of the game.

3.2 Proof outline 

A very rough cut at the idea of the analysis is that as long as $\mathrm{BAD}$ has not happened in probability
space 1, the answers coming back to oracle queries there "look random" and so probability space 1
looks like probability space 2. We can then bound the advantage by the probability of the bad
event.

This is overly simplistic. It is also incorrect. One should first note that even if the bad event fails 
to happen in game 1, that game will not look like game 2; there are events that have probability one 
in the latter and zero in the former. In fact, we need to condition on the bad event not happening 
in both probability spaces. 

We will show that the conditional probability of a particular view given that bad has not 
occurred is the same in the two games. To show this we will be forced to show something stronger 
as stated in the lemma below. 

Lemma 3.2 Let $i \in$ Mvs and let $v_i$ be a possible view of the adversary after the $i$-th move. Then
for all $0 \le s \le 2(q+t) - i$,

$\Pr_1\left[\, \mathrm{View}_i = v_i \mid \overline{\mathrm{BAD}}_{i+s} \,\right] = \Pr_2\left[\, \mathrm{View}_i = v_i \mid \overline{\mathrm{BAD}}_{i+s} \,\right].$
The proof of this lemma is postponed until later. Since the final decision of the adversary depends
only on its view, the distribution of the adversary's decision is the same in the two games as long
as the bad event has not happened. Thus, a corollary to the above lemma is

$\Pr_1\left[\, A^{E,F,F^{-1}} = 1 \mid \overline{\mathrm{BAD}} \,\right] = \Pr_2\left[\, A^{E,F,F^{-1}} = 1 \mid \overline{\mathrm{BAD}} \,\right]. \qquad (1)$



Less obvious is that Lemma 3.2 will also be needed to show that the probability of the bad event 
is the same in both games. To show this we need to prove something a bit stronger: we need to 
show that the equality holds at any stage. This is stated in the lemma stated below. 

Lemma 3.3 For all $i = 0, \ldots, 2(q+t)$,

$\Pr_1\left[\, \mathrm{BAD}_i \,\right] = \Pr_2\left[\, \mathrm{BAD}_i \,\right]. \qquad (2)$



The proof of this lemma is also postponed until later. Lemmas 3.2 and 3.3 can be used to bound 
the advantage of the adversary by the probability of the bad event. 

Lemma 3.4 $\mathrm{Adv}_A(\mathrm{Dbl}, \kappa, n) \le \Pr_2\left[\, \mathrm{BAD} \,\right]$.

Proof of Lemma 3.4: The lemma is shown using the following straightforward calculation. We
suppress the superscripts of $A^{E,F,F^{-1}}$ for clarity.

$\Pr_1[A = 1] - \Pr_2[A = 1]$
$= \Pr_1[A = 1 \mid \mathrm{BAD}] \cdot \Pr_1[\mathrm{BAD}] - \Pr_2[A = 1 \mid \mathrm{BAD}] \cdot \Pr_2[\mathrm{BAD}]$
$\quad + \Pr_1[A = 1 \mid \overline{\mathrm{BAD}}] \cdot \Pr_1[\overline{\mathrm{BAD}}] - \Pr_2[A = 1 \mid \overline{\mathrm{BAD}}] \cdot \Pr_2[\overline{\mathrm{BAD}}]$
$= (\Pr_1[A = 1 \mid \mathrm{BAD}] - \Pr_2[A = 1 \mid \mathrm{BAD}]) \cdot \Pr_2[\mathrm{BAD}]$
$\quad + (\Pr_1[A = 1 \mid \overline{\mathrm{BAD}}] - \Pr_2[A = 1 \mid \overline{\mathrm{BAD}}]) \cdot \Pr_2[\overline{\mathrm{BAD}}]$
$= (\Pr_1[A = 1 \mid \mathrm{BAD}] - \Pr_2[A = 1 \mid \mathrm{BAD}]) \cdot \Pr_2[\mathrm{BAD}].$

The second equality follows by Lemma 3.3. The last equality follows by Equation (1). The lemma
follows since the parenthesized difference of two probabilities is at most 1. ∎



Of course, since the probability of the bad event is the same in both probability spaces we could 
have bounded the advantage by the probability of the bad event in probability space 1. However, 
calculating the probability of the bad event is very easy in probability space 2 as can be seen below. 
Lemma 3.5 $\Pr_2\left[\, \mathrm{BAD} \,\right] \le t^2/2^{2\kappa}$.

Proof of Lemma 3.5: This is straightforward, since in Game 2, no information about the keys
$(k_1^*, k_2^*)$ is given to the adversary. The bad event depends only on the number of $F$ and $F^{-1}$ queries,
and in the worst case all the $t$ such queries are made to different keys. Then the chance that $k_1^*$ is
in any query is $t/2^\kappa$, and the same, independently, for $k_2^*$, so the bound holds. ∎
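The bookkeeping of Section 3.1 and the counting in the proof of Lemma 3.5 can be checked mechanically. The following is an added example, not code from the paper: it represents a view as a list of queries in the paper's shapes $(x,*)$, $(k,x,*)$, $(k,*,y)$, computes $\mathrm{SKP}$, $\mathrm{RKP}$ and $\mathrm{BAD}_i$ from the queries alone, and evaluates $\Pr_2[\mathrm{BAD}]$ exactly as $|\mathrm{SKP}(v)|/2^{2\kappa}$, which is valid because in Game 2 the crucial pair is uniform and independent of the replies. The sample views, the key length $\kappa = 3$, and all function names are constructed assumptions; `'*'` marks the unknown component of a query.

```python
# Added example (not code from the paper): the seen-key-pair bookkeeping of
# Section 3.1 and the exact value of Pr_2[BAD] behind Lemma 3.5.
# Views are constructed here; queries use the paper's shapes (x, *),
# (k, x, *) and (k, *, y), with STAR standing for the unknown component.
from fractions import Fraction
from itertools import product

STAR = '*'

def query_key(q):
    """Key of an F-query (k, x, *) or F^{-1}-query (k, *, y); None for an E-query (x, *)."""
    return q[0] if len(q) == 3 else None

def skp(view):
    """SKP(v): pairs (k1, k2) such that some F/F^{-1} query in v has key k1 and
    some F/F^{-1} query has key k2. Only the queries matter, never the replies,
    so SKP(v_i) = SKP(v_{i+1}) for odd i holds automatically."""
    seen = {query_key(q) for q in view if query_key(q) is not None}
    return set(product(seen, repeat=2))

def rkp(view, kappa):
    """RKP(v) = ({0,1}^kappa x {0,1}^kappa) - SKP(v)."""
    return set(product(range(2 ** kappa), repeat=2)) - skp(view)

def is_bad(view, crucial):
    """BAD_i: the crucial key pair (k1*, k2*) lies in SKP(v_i)."""
    return crucial in skp(view)

def pr2_bad(view, kappa):
    """In Game 2 the replies never depend on (k1*, k2*), so the crucial pair
    stays uniform over all 2^(2 kappa) pairs and Pr_2[BAD] = |SKP(v)| / 2^(2 kappa)."""
    return Fraction(len(skp(view)), 4 ** kappa)

def lemma_3_5_bound(t, kappa):
    """t^2 / 2^(2 kappa): the worst case of t queries to t distinct keys."""
    return Fraction(t * t, 4 ** kappa)

def count_f_queries(view):
    """The resource t: number of F and F^{-1} queries in the view."""
    return sum(1 for q in view if query_key(q) is not None)

def worst_case_view(t, kappa):
    """t F-queries on t distinct keys (needs t <= 2^kappa); attains the bound exactly."""
    assert t <= 2 ** kappa
    return [(k, 0, STAR) for k in range(t)]

# Constructed views for kappa = 3 (keys 0..7); the block length plays no role here.
VIEW_DISTINCT = [(1, 0, STAR), (5, STAR, 9), (6, 3, STAR), (2, STAR)]   # keys 1, 5, 6
VIEW_REPEATED = [(5, 0, STAR), (5, 1, STAR), (2, STAR, 4), (7, STAR)]   # keys 5, 5, 2

if __name__ == "__main__":
    for v in (VIEW_DISTINCT, VIEW_REPEATED):
        t = count_f_queries(v)
        print("t =", t, " Pr_2[BAD] =", pr2_bad(v, 3), " bound =", lemma_3_5_bound(t, 3))
```

Two views with the same $t$ illustrate the proof's worst case: when the $t$ queries use $t$ distinct keys, $|\mathrm{SKP}| = t^2$ and $\Pr_2[\mathrm{BAD}]$ equals $t^2/2^{2\kappa}$; repeating a key only shrinks $\mathrm{SKP}$, so the bound is never exceeded.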



Clearly, Lemmas 3.4 and 3.5 imply Theorem 3.1. This completes the outline of the proof of
Theorem 3.1. To complete the proof we must prove Lemmas 3.2 and 3.3.

To do so we will first need a sequence of three lemmas, Lemmas 3.6, 3.7 and 3.8. The last of
these will be used in the proof of Lemma 3.2. Lemma 3.6 will again be used to prove Lemma 3.9 on
the conditional probability of the crucial key pair. Lemma 3.9 will then be used with Lemma 3.2
to prove Lemma 3.3.



3.3 Distribution of replies in the next round 

In Game 2, given the view $v_i$ at any point, the distribution of the answer to the next oracle query 
is, clearly, uniform over the remaining range; for example, the answer to an $E$-query is uniform 
over $\{0,1\}^n - \text{E-Qrs}(v_i)$. 

The first lemma will say this is true for Game 1 too, as long as the bad event does not happen. 
However, we will need to say this in a strong sense. Namely, fix any key pair that has still not been 
"eliminated". Conditioned on this being the crucial key pair, as well as on the current view, the 
distribution of the answer to the next oracle query is still "as it should be," meaning uniform over 
whatever possibilities remain. Note we must show this for all types of queries: $E$, $F$ and $F^{-1}$. 

Lemma 3.6 Let $j \in \{1,2\}$ and $i \in \mathrm{OdMvs}$. Let $v_i = q_1 r_2 \cdots q_{i-2} r_{i-1} q_i$ be a possible view of the 
adversary just before the answer to query $q_i$ is obtained. For any string $r_{i+1} \in \{0,1\}^n$ and all 
$(k_1,k_2) \in \mathrm{RKP}(v_i \| r_{i+1})$, 

$$\Pr_j\bigl[R_{i+1} = r_{i+1} \,\big|\, (k_1^*,k_2^*) = (k_1,k_2) \wedge \mathrm{View}_i = v_i\bigr] =
\begin{cases}
\dfrac{1}{2^n - |\text{E-Qrs}(v_i)|} & \text{if } q_i \text{ is an } E\text{-query and } r_{i+1} \notin \text{E-Qrs}(v_i) \\[2ex]
\dfrac{1}{2^n - |\text{F-Qrs}(k, v_i)|} & \text{if } q_i \text{ is an } F \text{ or } F^{-1} \text{ query with key } k \text{ and } r_{i+1} \notin \text{F-Qrs}(k, v_i) \\[2ex]
0 & \text{otherwise.}
\end{cases}$$

In particular, the value depends neither on $j$ nor on $(k_1,k_2)$. 



Proof of Lemma 3.6: This is clear for Game 2, i.e. for $j = 2$. The proof is devoted to showing 
it also for Game 1, i.e. for $j = 1$. 

Let $v_{i+1} = v_i r_{i+1}$. We fix a particular key pair $(k_1,k_2) \in \mathrm{RKP}(v_{i+1})$. Assume $\mathrm{View}_i = v_i$, and 
assume $(k_1^*,k_2^*) = (k_1,k_2)$. Note this implies that $\overline{\mathrm{BAD}}_{i+1}$ holds. Now consider three cases. 

Case 1: $q_i$ is an $E$-query. 

We want to show that $R_{i+1}$ is equally likely to be any string not yet returned as an answer to an 
$E$-query. The danger is that $F$ or $F^{-1}$ queries have been made to at least one of the crucial keys 
$k_1, k_2$, and this is giving some information about $F_{k_1} \circ F_{k_2}$ in addition to that from the $E$-queries. 

However, this won't happen. This can be seen as follows. We know that $\overline{\mathrm{BAD}}_{i+1}$ holds, which means 
either $k_1$ or $k_2$ has never been in any $F$ or $F^{-1}$ query of the adversary. This means that $F_{k_1} \circ F_{k_2}$, 
being the composition of two permutations with one random, is random from the point of view of 
the adversary. (The probability here is over the choice of the cipher $F$, which assigns a random 
permutation to each key.) Of course the adversary has partial information about $F_{k_1} \circ F_{k_2}$ in the 
form of replies to previous $E$-queries, but this gives no information on the value of any remaining 
one except that it will not be one already seen. 

Case 2: $q_i$ is an $F$-query. 

Let $k$ be the key in the query. If $k \notin \{k_1,k_2\}$ it is clear that the response to the query is uniformly 
distributed over $\{0,1\}^n - \text{F-Qrs}(k, v_i)$ just by the random choice of $F$ in the experiment. So suppose 
$k = k_l$ where $l \in \{1,2\}$. Now, the danger is that $E$-queries yielded some information about $F_k$ 
in addition to the queries made directly to key $k$, so the adversary will have some advantage in 
predicting a new value of $F_k$. 

However, this will not be true. This can be seen as follows. We know $(k_1,k_2) \in \mathrm{RKP}(v_{i+1})$, which 
means that either $k_1$ or $k_2$ has not been in any $F$ or $F^{-1}$ query up to and including the query $q_i$. 
Let $\pi = F_{k_1} \circ F_{k_2}$. As the composition of two permutations, one of which is random, it is random 
from the point of view of the adversary. Then $F_k = F_{k_1} = \pi \circ F_{k_2}^{-1}$ if $l = 1$ and $F_k = F_{k_2} = F_{k_1}^{-1} \circ \pi$ 
if $l = 2$. In either case, $F_k$ is the composition of two permutations, one of which is random from 
the point of view of the adversary, and hence the response to an $F$-query on key $k$ will return a 
value distributed uniformly over $\{0,1\}^n - \text{F-Qrs}(k, v_i)$. 

Case 3: $q_i$ is an $F^{-1}$-query. 

The proof that the response to the query is uniformly distributed over $\{0,1\}^n - \text{F-Qrs}(k, v_i)$ is 
similar to the case above. ∎ 



The above lemma shows that for a fixed partial conversation $v_i$ where $i \in \mathrm{OdMvs}$, and a fixed pair 
of keys $k_1,k_2$ such that $\overline{\mathrm{BAD}}_i$ is true (i.e., $(k_1,k_2) \in \mathrm{RKP}(v_i)$), all the answers $r_{i+1}$ which continue 
to keep the partial conversation from being "bad" (i.e., $(k_1,k_2) \in \mathrm{RKP}(v_i r_{i+1})$) have the same 
probability in each probability space. We will use this lemma to prove an extension of it. Namely, 
for a fixed partial conversation $v_i$ and a fixed pair of keys $k_1,k_2$ such that $\overline{\mathrm{BAD}}_i$ is true, all further 
move sequences which continue to keep the partial conversation from being "bad" have the same 
probability in each probability space. We state this formally below. 

Lemma 3.7 Let $j \in \{1,2\}$. Let $v_i$ be a possible view of the adversary after move $i \in \mathrm{Mvs}$, and 
let $1 \le l \le 2(q+t) - i$. For any possible extension $u_{i+1,i+l}$ of $v_i$ by $l$ moves, and for any key pair 
$(k_1,k_2) \in \mathrm{RKP}(v_i \| u_{i+1,i+l})$, 

$$\Pr_j\bigl[U_{i+1,i+l} = u_{i+1,i+l} \,\big|\, (k_1^*,k_2^*) = (k_1,k_2) \wedge \mathrm{View}_i = v_i\bigr]$$

depends neither on $j$ nor on $(k_1,k_2)$. (That is, it depends only on $v_i$ and $u_{i+1,i+l}$.) 



Proof of Lemma 3.7: We will prove this by induction on $l$. The base case is $l = 1$. In this case 
the lemma is clear when $i + 1 = i + l$ is odd, because in this case $u_{i+1,i+1}$ is a query, which is a 
function only of $A$ and $v_i$. In the case of $i + l = i + 1$ being even, $u_{i+1,i+1}$ is the response $R_{i+1}$, and 
we can apply Lemma 3.6. 

Now assume that the lemma is true for $l = s$. We want to establish it for $l = s + 1$. Again, this is 
trivial if $i + s + 1$ is odd, because then the extension is a query, uniquely determined given $v_i u_{i+1,i+s}$ 
and $A$. So assume $i + s + 1$ is even. Let $u_{i+1,i+s+1} = u_{i+1,i+s}\, r_{i+s+1}$ and $v_{i+s} = v_i u_{i+1,i+s}$. We 
assume that $(k_1,k_2) \in \mathrm{RKP}(v_i \| u_{i+1,i+s+1})$. We can write 

$$\begin{aligned}
&\Pr_j\bigl[U_{i+1,i+s+1} = u_{i+1,i+s+1} \,\big|\, (k_1^*,k_2^*) = (k_1,k_2) \wedge \mathrm{View}_i = v_i\bigr] \\
&= \Pr_j\bigl[R_{i+s+1} = r_{i+s+1} \,\big|\, (k_1^*,k_2^*) = (k_1,k_2) \wedge \mathrm{View}_{i+s} = v_{i+s}\bigr] \\
&\quad \cdot \Pr_j\bigl[U_{i+1,i+s} = u_{i+1,i+s} \,\big|\, (k_1^*,k_2^*) = (k_1,k_2) \wedge \mathrm{View}_i = v_i\bigr] .
\end{aligned}$$

The first factor depends neither on $j$ nor on $(k_1,k_2)$ by Lemma 3.6. The second factor has the same 
property by induction. ∎ 



We now use the above lemma to prove a generalization of Lemma 3.6 which we will need subsequently. 

Lemma 3.8 Let $j \in \{1,2\}$ and $i \in \mathrm{OdMvs}$. Let $v_i = q_1 r_2 \cdots q_{i-2} r_{i-1} q_i$ be a possible view of 
the adversary just before the answer to query $q_i$ is obtained. For any string $r_{i+1} \in \{0,1\}^n$, all 
$(k_1,k_2) \in \mathrm{RKP}(v_i \| r_{i+1})$, and all $0 \le s \le 2(q+t) - i$, 

$$\Pr_j\bigl[R_{i+1} = r_{i+1} \,\big|\, (k_1^*,k_2^*) = (k_1,k_2) \wedge \mathrm{View}_i = v_i \wedge \overline{\mathrm{BAD}}_{i+s}\bigr]$$

depends neither on $j$ nor on $k_1,k_2$. (That is, it depends only on $v_i$, $r_{i+1}$ and $s$.) 

Proof of Lemma 3.8: First suppose $s = 0$. The conditioning on $\overline{\mathrm{BAD}}_i$ is redundant; this event 
will be true because $(k_1,k_2) \in \mathrm{RKP}(v_i \| r_{i+1})$. Thus the claim is true from Lemma 3.6. 
So assume $s \ge 1$. The probability in the statement of the lemma can be written as 

$$\frac{\Pr_j\bigl[R_{i+1} = r_{i+1} \wedge \overline{\mathrm{BAD}}_{i+s} \,\big|\, (k_1^*,k_2^*) = (k_1,k_2) \wedge \mathrm{View}_i = v_i\bigr]}
{\Pr_j\bigl[\overline{\mathrm{BAD}}_{i+s} \,\big|\, (k_1^*,k_2^*) = (k_1,k_2) \wedge \mathrm{View}_i = v_i\bigr]} .$$

The denominator can be written as 

$$\sum \Pr_j\bigl[U_{i+1,i+s} = u_{i+1,i+s} \,\big|\, (k_1^*,k_2^*) = (k_1,k_2) \wedge \mathrm{View}_i = v_i\bigr]$$

where the sum is over $u_{i+1,i+s}$ such that $(k_1,k_2) \in \mathrm{RKP}(v_i u_{i+1,i+s})$. By Lemma 3.7 each term of 
this sum has a value that depends neither on $j$ nor on $(k_1,k_2)$. The numerator can be written as 

$$\sum \Pr_j\bigl[R_{i+1} U_{i+2,i+s} = r_{i+1} u_{i+2,i+s} \,\big|\, (k_1^*,k_2^*) = (k_1,k_2) \wedge \mathrm{View}_i = v_i\bigr]$$

where the sum is over $u_{i+2,i+s}$ such that $(k_1,k_2) \in \mathrm{RKP}(v_i r_{i+1} u_{i+2,i+s})$. By Lemma 3.7 each term 
of this sum depends neither on $j$ nor on $(k_1,k_2)$. This completes the proof of the lemma. ∎ 



Proof of Lemma 3.2: The proof will be by induction on $i \in \mathrm{Mvs}$. The base case of the induction 
is when $i = 0$, and in this case the lemma is trivially true because the view is by definition the 
empty string. So assume the statement of the lemma up to move $i$. We will prove it for $i + 1$. Fix 
an arbitrary $s \ge 0$. 

First consider the case where $i \in \mathrm{EvMvs}$, meaning the last move in $v_i$ is a reply. Let $q_{i+1}$ be 
arbitrary. Then: 

$$\Pr_j\bigl[\mathrm{View}_{i+1} = v_i q_{i+1} \,\big|\, \overline{\mathrm{BAD}}_{i+1+s}\bigr]
= \Pr_j\bigl[\mathrm{View}_i = v_i \,\big|\, \overline{\mathrm{BAD}}_{i+1+s}\bigr] \cdot \Pr_j\bigl[Q_{i+1} = q_{i+1} \,\big|\, \mathrm{View}_i = v_i \wedge \overline{\mathrm{BAD}}_{i+1+s}\bigr] .$$

First, look at the first factor. Since $s \ge 0$ by assumption, $s + 1 > 0$, and therefore the first 
factor is the same for $j = 1$ and $2$ by induction. Next look at the second factor. $A$'s query is just 
dependent on $A$ and on $v_i$, the view so far. Thus, the probability is the same for both $j = 1$ and 
$j = 2$. (And is equal to $0$ except possibly for one value of $q_{i+1}$.) Therefore, the product of the two 
probabilities is equal for $j = 1$ and $j = 2$, for all $s \ge 0$. 

Next consider the case where $i \in \mathrm{OdMvs}$, meaning the last move in $v_i$ is a query. Let $r_{i+1} \in \{0,1\}^n$ 
be arbitrary and let $v_{i+1} = v_i r_{i+1}$. Then: 

$$\Pr_j\bigl[\mathrm{View}_{i+1} = v_i r_{i+1} \,\big|\, \overline{\mathrm{BAD}}_{i+1+s}\bigr]
= \Pr_j\bigl[\mathrm{View}_i = v_i \,\big|\, \overline{\mathrm{BAD}}_{i+1+s}\bigr] \cdot \Pr_j\bigl[R_{i+1} = r_{i+1} \,\big|\, \mathrm{View}_i = v_i \wedge \overline{\mathrm{BAD}}_{i+1+s}\bigr] .$$

Consider the first factor. Since $s \ge 0$ by assumption, $s + 1 > 0$, and therefore, by induction, 
the first factor is the same for $j = 1$ and $2$. The second factor is equal to: 

$$\sum_{(k_1,k_2)} p_j(k_1,k_2) \cdot q_j(k_1,k_2)$$

where the sum is over all $(k_1,k_2) \in \{0,1\}^\kappa \times \{0,1\}^\kappa$ and we have set 

$$\begin{aligned}
p_j(k_1,k_2) &= \Pr_j\bigl[R_{i+1} = r_{i+1} \,\big|\, (k_1^*,k_2^*) = (k_1,k_2) \wedge \mathrm{View}_i = v_i \wedge \overline{\mathrm{BAD}}_{i+1+s}\bigr] \\
q_j(k_1,k_2) &= \Pr_j\bigl[(k_1^*,k_2^*) = (k_1,k_2) \,\big|\, \mathrm{View}_i = v_i \wedge \overline{\mathrm{BAD}}_{i+1+s}\bigr] .
\end{aligned}$$

We start by examining the first factor, namely $p_j(k_1,k_2)$. By Lemma 3.8, for all $(k_1,k_2) \notin 
\mathrm{SKP}(v_{i+1})$, this probability is the same for both $j = 1$ and $2$, and independent of $(k_1,k_2)$. Call 
this value $p$. On the other hand for $(k_1,k_2) \in \mathrm{SKP}(v_{i+1})$ we have $p_j(k_1,k_2) = 0$ because of the 
conditioning on $\overline{\mathrm{BAD}}_{i+1+s}$. Thus the above sum reduces to 

$$p \cdot \sum_{(k_1,k_2)} q_j(k_1,k_2)$$

where the sum is over all $(k_1,k_2) \in \mathrm{RKP}(v_{i+1})$. We claim that this range is over all the nonzero 
values of the probability and thus the sum is equal to 1. To see this, note that $q_j(k_1,k_2)$ is equal 
to $0$ for $(k_1,k_2) \in \mathrm{SKP}(v_{i+1})$. This completes the induction and the proof of Lemma 3.2. ∎ 



The remaining task is to prove Lemma 3.3, which states that the probability that the bad event 
occurs is the same in both probability spaces. To do so we will first prove the following lemma 
about the distribution of keys. The proof of this lemma will use Lemma 3.6 which, recall, states 
that the probability of a given query and response (which are not bad) for a fixed partial view and 
a fixed pair of keys (which are not bad) is the same in both probability spaces. 



3.4 Equi-probability of unseen keys 

A crucial lemma is that in Game 1, as long as the bad event has not happened, if the adversary has 
a particular view, then any "un-eliminated" key pair is equally likely to be the crucial key pair. 
Without this, it might be that the adversary's chance of hitting the crucial key is better in Game 1 
(given the bad event fails) than in Game 2 (given the bad event fails). To simplify notation, for 
$j \in \{1,2\}$ and $v_i$ let 

$$\Pr_{j,v_i}[\,\cdot\,] = \Pr_j\bigl[\,\cdot\, \big|\, \mathrm{View}_i = v_i \wedge \overline{\mathrm{BAD}}_i\bigr] .$$
Lemma 3.9 Let $j \in \{1,2\}$. Let $v_i$ be a possible view of the adversary after move $i \in \mathrm{Mvs}$. Let 
$(k_1,k_2) \in \mathrm{RKP}(v_i)$. Then 

$$\Pr_{j,v_i}\bigl[(k_1^*,k_2^*) = (k_1,k_2)\bigr] = \frac{1}{|\mathrm{RKP}(v_i)|} .$$



Proof of Lemma 3.9: This is clear in Game 2, i.e. for $j = 2$. The proof is devoted to showing 
the claim in Game 1, i.e. for $j = 1$. The proof will be by induction on the move number $i \in \mathrm{Mvs}$. 
The base case is $i = 0$. In this case no queries have been made so the adversary has no information 
about $(k_1^*,k_2^*)$, and all possible pairs of keys remain equally likely, so the claim is true. So, assume 
the lemma statement is true up to move $i \in \mathrm{Mvs}$ where $i < 2(q+t)$. We will prove it for $i + 1$. 

Let $v_{i+1} = v_i \tau$ where $\tau = q_{i+1}$ is a query if $i$ is even and $\tau = r_{i+1}$ is a reply if $i$ is odd. Assume 
$(k_1,k_2)$ is some key pair. Consider the quantity 

$$\Pr_{1,v_{i+1}}\bigl[(k_1^*,k_2^*) = (k_1,k_2)\bigr] . \qquad (3)$$

Claim 1: The quantity of Equation (3) is zero if $(k_1,k_2) \notin \mathrm{RKP}(v_{i+1})$. 

Proof of Claim 1: This is because $\Pr_{1,v_{i+1}}[\,\cdot\,]$ conditions on $\overline{\mathrm{BAD}}_{i+1}$, meaning we know $\mathrm{BAD}_{i+1}$ did 
not happen. □ 

Claim 2: Let $(k_1,k_2)$ be any key pair in $\mathrm{RKP}(v_{i+1})$. Then the quantity of Equation (3) has a value 
that depends only on $v_{i+1}$, and not on $(k_1,k_2)$. 

We will prove Claim 2 below. The two claims together imply that the only possibility is that for 
all $(k_1,k_2) \in \mathrm{RKP}(v_{i+1})$, 

$$\Pr_{1,v_{i+1}}\bigl[(k_1^*,k_2^*) = (k_1,k_2)\bigr] = \frac{1}{|\mathrm{RKP}(v_{i+1})|} .$$

Thus the induction would be completed. 

Proof of Claim 2: Recall $T_{i+1} = Q_{i+1}$ if $i$ is even and $T_{i+1} = R_{i+1}$ if $i$ is odd. Expand the quantity 
of Equation (3): 

$$\Pr_{1,v_{i+1}}\bigl[(k_1^*,k_2^*) = (k_1,k_2)\bigr] = \Pr_{1,v_i}\bigl[(k_1^*,k_2^*) = (k_1,k_2) \,\big|\, T_{i+1} = \tau \wedge \overline{\mathrm{BAD}}_{i+1}\bigr]$$

and then apply Bayes' rule to get: 

$$\Pr_{1,v_i}\bigl[T_{i+1} = \tau \wedge \overline{\mathrm{BAD}}_{i+1} \,\big|\, (k_1^*,k_2^*) = (k_1,k_2)\bigr] \cdot
\frac{\Pr_{1,v_i}\bigl[(k_1^*,k_2^*) = (k_1,k_2)\bigr]}{\Pr_{1,v_i}\bigl[T_{i+1} = \tau \wedge \overline{\mathrm{BAD}}_{i+1}\bigr]} .$$

We want to argue this quantity does not depend on $(k_1,k_2)$. Look first at the fraction. The value of 
the numerator is given by the induction hypothesis (it equals $1/|\mathrm{RKP}(v_i)|$, since $(k_1,k_2) \in \mathrm{RKP}(v_{i+1}) \subseteq \mathrm{RKP}(v_i)$) and in particular does not depend on $(k_1,k_2)$. 
The value of the denominator obviously does not depend on $(k_1,k_2)$ since that quantity appears 
nowhere in it. Thus, what is left is to show that 

$$\Pr_{1,v_i}\bigl[T_{i+1} = \tau \wedge \overline{\mathrm{BAD}}_{i+1} \,\big|\, (k_1^*,k_2^*) = (k_1,k_2)\bigr] \qquad (4)$$

does not depend on $(k_1,k_2)$. 

Observe that the conjunction of the event $\overline{\mathrm{BAD}}_{i+1}$ in the probability of Equation (4) is redundant: 
since we are conditioning on $(k_1^*,k_2^*) = (k_1,k_2)$, and we know that $(k_1,k_2) \in \mathrm{RKP}(v_{i+1})$, the 
conditioning already tells us that $\overline{\mathrm{BAD}}_{i+1}$ will hold. In other words, 

$$\Pr_{1,v_i}\bigl[T_{i+1} = \tau \wedge \overline{\mathrm{BAD}}_{i+1} \,\big|\, (k_1^*,k_2^*) = (k_1,k_2)\bigr] = \Pr_{1,v_i}\bigl[T_{i+1} = \tau \,\big|\, (k_1^*,k_2^*) = (k_1,k_2)\bigr] .$$

Now we consider separately the case where $i + 1$ is odd (meaning $T_{i+1} = Q_{i+1}$ and $\tau = q_{i+1}$) and 
the case where $i + 1$ is even (meaning $T_{i+1} = R_{i+1}$ and $\tau = r_{i+1}$). In the first case, note that 
the query made is determined only by ($A$ and) the view $v_i$, so the probability in question does 
not depend on $(k_1,k_2)$. In the second case, we can apply Lemma 3.6, which gives the value of the 
above quantity for each $(k_1,k_2) \in \mathrm{RKP}(v_{i+1})$, and, as we see from Lemma 3.6, that value does not 
depend on $(k_1,k_2)$. This completes the proof of Claim 2. □ ∎ 



Using the above lemma we can now prove Lemma 3.3 which (recall) states that $\Pr_1[\mathrm{BAD}_i] = 
\Pr_2[\mathrm{BAD}_i]$ for all $i \in \mathrm{Mvs}$. 



Proof of Lemma 3.3: The proof is by induction on $i \in \mathrm{Mvs}$. The base case is when $i = 0$. In 
this case, the current view $v$ of the adversary, in either game, is empty, so that $\mathrm{SKP}(v) = \emptyset$. Thus, 
both probabilities are zero. 

So, assume the lemma statement is true up to move $i \in \mathrm{Mvs}$ where $i < 2(q+t)$. We will prove it 
for $i + 1$, namely we will show that 

$$\Pr_1[\mathrm{BAD}_{i+1}] = \Pr_2[\mathrm{BAD}_{i+1}] . \qquad (5)$$

We first consider the case where $i + 1$ is even, meaning the last move in $v_i$ is a query. We have 

$$\Pr_j[\mathrm{BAD}_{i+1}] = \Pr_j[\mathrm{BAD}_i] + \Pr_j\bigl[\mathrm{BAD}_{i+1} \,\big|\, \overline{\mathrm{BAD}}_i\bigr] \cdot \Pr_j\bigl[\overline{\mathrm{BAD}}_i\bigr] .$$

The first term and the factor $\Pr_j[\overline{\mathrm{BAD}}_i] = 1 - \Pr_j[\mathrm{BAD}_i]$ are equal for $j = 1$ and $2$ by induction, and 
$\Pr_j[\mathrm{BAD}_{i+1} \mid \overline{\mathrm{BAD}}_i] = 0$ because $i + 1$ is even: move $i + 1$ is a reply, and only a query can 
make the bad event happen. 

To complete the induction we need to prove Equation (5) for the case where $i + 1$ is odd, meaning 
the last move in $v_i$ is a reply. Let $j \in \{1,2\}$. We can write 

$$\Pr_j[\mathrm{BAD}_{i+1}] = \Pr_j[\mathrm{BAD}_i] + \Pr_j\bigl[\mathrm{BAD}_{i+1} \,\big|\, \overline{\mathrm{BAD}}_i\bigr] \cdot \Pr_j\bigl[\overline{\mathrm{BAD}}_i\bigr] .$$

The first term and the factor $\Pr_j[\overline{\mathrm{BAD}}_i]$ are independent of $j$ by the induction hypothesis. We will 
now argue that the conditional probability $\Pr_j[\mathrm{BAD}_{i+1} \mid \overline{\mathrm{BAD}}_i]$ is also independent of $j$. By 
conditioning we can write it as 

$$\begin{aligned}
\Pr_j\bigl[\mathrm{BAD}_{i+1} \,\big|\, \overline{\mathrm{BAD}}_i\bigr]
&= \sum_{v_i \in V_j} \underbrace{\Pr_j\bigl[\mathrm{BAD}_{i+1} \,\big|\, \overline{\mathrm{BAD}}_i \wedge \mathrm{View}_i = v_i\bigr]}_{\text{first term}} \cdot \underbrace{\Pr_j\bigl[\mathrm{View}_i = v_i \,\big|\, \overline{\mathrm{BAD}}_i\bigr]}_{\text{second term}} \\
&= \sum_{v_i \in V_j} \Pr_{j,v_i}[\mathrm{BAD}_{i+1}] \cdot \Pr_j\bigl[\mathrm{View}_i = v_i \,\big|\, \overline{\mathrm{BAD}}_i\bigr] ,
\end{aligned}$$

each summand being the "product term associated to $v_i$", and where $V_j = \{v_i : \Pr_j[\mathrm{View}_i = v_i \mid \overline{\mathrm{BAD}}_i] > 0\}$ 
is the set of possible views after move $i$ in Game $j$. 

Let us first observe that $V_1 = V_2$, namely the set of views for which the second term of the 
"product term associated to $v_i$" is positive is the same in both games. This is true by Lemma 3.2, 
which tells us that $\Pr_j[\mathrm{View}_i = v_i \mid \overline{\mathrm{BAD}}_i]$ does not depend on $j$ and hence in particular the values 
of $v_i$ for which it is zero are the same for $j = 1$ and $j = 2$. 

Now let us set $V = V_1 = V_2$ and compare the sums, term by term, in the cases $j = 1$ and $j = 2$. 
Fix a particular string $v_i \in V$ and focus on the "product term associated to $v_i$." The second term 
in it is independent of $j$ by Lemma 3.2. We will show the same is true for the first term, which 
will complete the proof. (One needs to be a little careful. The first term is not well defined for just 
any $v_i$, only for $v_i \in V_j$. That's why it was important, first, to restrict attention to these $v_i$ values, 
and, second, to make sure that $V_1 = V_2$, since otherwise we would not be sure that we have shown 
equality for every term in the two sums.) 

So the remaining task is to consider $\Pr_j[\mathrm{BAD}_{i+1} \mid \overline{\mathrm{BAD}}_i \wedge \mathrm{View}_i = v_i]$ for $v_i \in V$ and show 
it does not depend on $j$. First note that $\mathrm{RKP}(v_i) \ne \emptyset$, because $\mathrm{RKP}(v_i) = \emptyset$ would imply 
$\Pr_j[\mathrm{View}_i = v_i \mid \overline{\mathrm{BAD}}_i] = 0$, and we have assumed the latter not to be true. 

Since the view $v_i$ and the adversary are fixed, the next query $q_{i+1}$ is uniquely determined. Let 

$$\mathrm{NKP}(v_i, q_{i+1}) = \mathrm{RKP}(v_i) - \mathrm{RKP}(v_i \| q_{i+1})$$

be the set of "new key pairs" that are "seen" by the $(i+1)$-th query. (This set is empty if the 
latter is an $E$-query. It is also empty if it is an $F$ or $F^{-1}$ query with a key with which $A$ has already 
queried. If it is an $F$ or $F^{-1}$ query with a key $k$ with which $A$ has not queried, then the set consists 
of the pairs $(k,k')$ and $(k',k)$ where $k'$ is any other key with which $A$ has queried $F$ or $F^{-1}$.) We claim 
that 

$$\Pr_j\bigl[\mathrm{BAD}_{i+1} \,\big|\, \overline{\mathrm{BAD}}_i \wedge \mathrm{View}_i = v_i\bigr] = \frac{|\mathrm{NKP}(v_i, q_{i+1})|}{|\mathrm{RKP}(v_i)|} \qquad (6)$$

for both $j = 1$ and $j = 2$. Note the fraction is well defined, in that the denominator is not zero, 
because $\mathrm{RKP}(v_i)$ is non-empty. 

Equation (6) follows from Lemma 3.9. This tells us that from the point of view of the adversary, 
all remaining key pairs remain equally likely, in either game. ∎ 
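As an added illustration (not part of the paper), the following Python code does the SKP/RKP/NKP bookkeeping of Equation (6) on a constructed transcript and chains the per-query probabilities to obtain $\Pr_2[\mathrm{BAD}]$ exactly, checking it against the bound of Lemma 3.5. The view encoding is my own, and it assumes that $\mathrm{SKP}(v)$ contains every pair whose two keys have both appeared in $F$ or $F^{-1}$ queries, including pairs with $k_1 = k_2$.

```python
from fractions import Fraction

# A view is modelled here as a list of queries ('E', x), ('F', k, x) or
# ('Finv', k, y).  Replies do not affect which key pairs are "seen", so the
# bookkeeping below ignores them.  This encoding is ours, not the paper's.

def keys_queried(view):
    """Keys that have appeared in an F or F^{-1} query of the view."""
    return {q[1] for q in view if q[0] in ('F', 'Finv')}

def skp_size(view, kappa):
    """|SKP(v)|: pairs (k1, k2) with both keys already queried.  Assumption:
    pairs with k1 == k2 are counted, which is what makes Pr_2[BAD] equal
    (d / 2^kappa)^2 for d distinct queried keys, as in the proof of Lemma 3.5."""
    d = len(keys_queried(view))
    return d * d

def rkp_size(view, kappa):
    """|RKP(v)|: remaining (un-eliminated) pairs out of 2^kappa * 2^kappa."""
    return 4 ** kappa - skp_size(view, kappa)

def nkp_size(view, query, kappa):
    """|NKP(v, q)| = |RKP(v)| - |RKP(v || q)|: pairs first seen by query q.
    Zero for an E-query or an already-queried key; 2d + 1 for a fresh key."""
    return rkp_size(view, kappa) - rkp_size(view + [query], kappa)

def bad_probability(view, kappa):
    """Pr_2[BAD] over the whole transcript, obtained by chaining Equation (6):
    Pr[not BAD_{i+1} | not BAD_i, View_i = v_i] = 1 - |NKP| / |RKP|.
    Exact rational arithmetic; the product telescopes to |RKP(v)| / 4^kappa."""
    survive = Fraction(1)
    prefix = []
    for q in view:
        survive *= 1 - Fraction(nkp_size(prefix, q, kappa), rkp_size(prefix, kappa))
        prefix.append(q)
    return 1 - survive

def lemma_35_bound(view, kappa):
    """The bound t^2 / 2^(2 kappa) of Lemma 3.5, t = number of F/F^{-1} queries."""
    t = sum(1 for q in view if q[0] in ('F', 'Finv'))
    return Fraction(t * t, 4 ** kappa)

if __name__ == "__main__":
    # Constructed transcript: two E-queries and four F/F^{-1} queries on keys 3, 9.
    view = [('E', 0), ('F', 3, 0), ('Finv', 3, 5), ('F', 9, 0), ('E', 1), ('F', 9, 7)]
    print("Pr[BAD] =", bad_probability(view, 4), " bound =", lemma_35_bound(view, 4))
```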
A Best attack: Meet in the middle 

In this section we will show the following: 

Lemma A.1 For any $\kappa, n \ge 1$, any $1 \le s \le q \le 2^{n-1}$, and any $t \ge 2s$, there is an adversary $A$ 
such that 

$$\mathrm{Adv}_A(\mathrm{Dbl},\kappa,n) \ge \frac{t^2}{4s^2}\cdot\left(\frac{1}{2^{2\kappa}} - \frac{1}{2^{s(n-1)}}\right) .$$

We can now optimize the value of $s$ and obtain the following theorem which says that the bound 
of Theorem 3.1 is essentially tight: 

Theorem A.2 For any $\kappa \ge 1$ and $n \ge 2$, let $s = \lceil (2\kappa + 1)/(n - 1) \rceil$. Then for any $t \ge 2s$ and $s \le q \le 2^{n-1}$ 
it is the case that 

$$\mathrm{Sec}(\mathrm{Dbl},\kappa,n,q,t) \ge \frac{1}{8s^2}\cdot\frac{t^2}{2^{2\kappa}} .$$

Proof: The choice of $s$ guarantees that $2^{2\kappa+1} \le 2^{s(n-1)}$. This means that 

$$\frac{1}{2^{2\kappa}} - \frac{1}{2^{s(n-1)}} \ge \frac{1}{2^{2\kappa}} - \frac{1}{2 \cdot 2^{2\kappa}} = \frac{1}{2 \cdot 2^{2\kappa}} .$$

Now apply Lemma A.1. ∎ 

Notice that for typical block cipher parameters $\kappa, n$, the value of $s$ is very small. For example, for 
the DES parameters $\kappa = 56$ and $n = 64$ we have $s = \lceil 113/63 \rceil = 2$. Thus the above lower bound 
of Theorem A.2 is in practice close to the upper bound of Theorem 3.1. 

Proof of Lemma A.1: The proof is by presenting an adversary $A$ who achieves the claimed 
advantage. The adversary $A$ plays a version of the meet-in-the-middle attack, but we need to 
adapt it slightly and then analyze it in our framework. It is convenient to let $[N] = \{1, 2, \ldots, N\}$ 
for any integer $N \ge 1$. The adversary proceeds as follows: 

    For j = 1, ..., s do 
        Let x_j ∈ {0,1}^n be the j-th string in lexicographic order 
        Compute y_j = E(x_j) 
    Endfor 
    Choose two disjoint sets K_1 = { k_{1,i} : i ∈ [t/2s] } and K_2 = { k_{2,i} : i ∈ [t/2s] } of κ-bit keys, 
        each set being of size t/2s. (These might be chosen at random, but not necessarily.) 
    For i = 1, ..., t/2s do 
        For j = 1, ..., s do Compute u_{i,j} = F(k_{1,i}, x_j) and v_{i,j} = F^{-1}(k_{2,i}, y_j) Endfor 
        Let u_i = (u_{i,1}, ..., u_{i,s}) and v_i = (v_{i,1}, ..., v_{i,s}) 
    Endfor 
    Let C = { (a, b) ∈ [t/2s] × [t/2s] : u_a = v_b } 
    If C ≠ ∅ then return 1 else return 0 

We now analyze this attack. The first claim is that the cost is as claimed, meaning $A$ makes at 
most $q$ $E$-queries and at most $t$ $F/F^{-1}$ queries. The first is true because $s \le q$ by assumption. 
The second is true because the number of calls to $F/F^{-1}$ above is $2[(t/2s)s] = t$. We now want to 
lower bound 

$$\mathrm{Adv}_A(\mathrm{Dbl},\kappa,n) = \mathrm{Succ}_A(\mathrm{Dbl},\kappa,n) - \mathrm{Succ}_A(\kappa,n) .$$

We will lower bound the first term and upper bound the second. Let $\Pr[\,\cdot\,]$ denote the probability 
in the experiment underlying the definition of $\mathrm{Succ}_A(\mathrm{Dbl},\kappa,n)$, and let $k_1^* k_2^*$ denote the randomly 
chosen $2\kappa$-bit key in this experiment. Observe that if $k_2^* \in K_1$ and $k_1^* \in K_2$ then $C$ is definitely 
non-empty: since $E = F_{k_1^*} \circ F_{k_2^*}$, for the indices $a, b$ with $k_{1,a} = k_2^*$ and $k_{2,b} = k_1^*$ both $u_a$ and $v_b$ 
equal $(F_{k_2^*}(x_1), \ldots, F_{k_2^*}(x_s))$. So 

$$\mathrm{Succ}_A(\mathrm{Dbl},\kappa,n) \ge \Pr\bigl[k_2^* \in K_1 \text{ and } k_1^* \in K_2\bigr] = \frac{t/2s}{2^\kappa}\cdot\frac{t/2s}{2^\kappa} = \frac{1}{4s^2}\cdot\frac{t^2}{2^{2\kappa}} .$$

Now let $\Pr[\,\cdot\,]$ denote the probability in the experiment underlying the definition of $\mathrm{Succ}_A(\kappa,n)$, 
and observe that 

$$\mathrm{Succ}_A(\kappa,n) = \Pr[C \ne \emptyset] .$$

For fixed $a, b \in [t/2s]$ we have 

$$\Pr[u_a = v_b] = \prod_{j=1}^{s} \Pr\bigl[u_{a,j} = v_{b,j} \,\big|\, u_{a,1} = v_{b,1}, \ldots, u_{a,j-1} = v_{b,j-1}\bigr] \le \prod_{j=1}^{s} \frac{1}{2^n - s} \le \frac{1}{2^{s(n-1)}} .$$

The last inequality here is by the assumption that $s \le 2^{n-1}$. By the union bound we have 

$$\Pr[C \ne \emptyset] \le \left(\frac{t}{2s}\right)^2 \cdot \frac{1}{2^{s(n-1)}} = \frac{t^2}{4s^2}\cdot\frac{1}{2^{s(n-1)}} .$$

Subtracting this from the lower bound on $\mathrm{Succ}_A(\mathrm{Dbl},\kappa,n)$ gives the claimed advantage. This completes the proof. ∎ 
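As an added example that is not part of the paper, the following Python program simulates the adversary above in the Shannon model with toy parameters (an ideal cipher sampled lazily as one independent random permutation per key) and estimates both terms of $\mathrm{Adv}_A(\mathrm{Dbl},\kappa,n)$, so that the estimate can be compared with the lower bound of Lemma A.1. It assumes the key sets $K_1, K_2$ are fixed as the first $2 \cdot t/2s$ keys (the lemma allows any disjoint choice), evaluates $\mathrm{Dbl}$-$F$ as $F_{k_1^*}(F_{k_2^*}(x))$ as in Section 1, and uses helper names of my own.

```python
import random

class IdealCipher:
    """Ideal cipher BC(kappa, n): an independent uniformly random permutation of
    {0,1}^n per key, sampled lazily.  Only enc()/dec() count as the adversary's
    F / F^{-1} queries; the experiment's own evaluation of E does not."""

    def __init__(self, n, rng):
        self.size, self.rng = 2 ** n, rng
        self.perms, self.invs = {}, {}
        self.queries = 0                       # F/F^{-1} queries made so far (t)

    def perm(self, k):
        if k not in self.perms:
            p = list(range(self.size))
            self.rng.shuffle(p)
            self.perms[k] = p
            self.invs[k] = {y: x for x, y in enumerate(p)}
        return self.perms[k]

    def enc(self, k, x):                       # oracle F(k, x)
        self.queries += 1
        return self.perm(k)[x]

    def dec(self, k, y):                       # oracle F^{-1}(k, y)
        self.queries += 1
        self.perm(k)
        return self.invs[k][y]


def mitm_adversary(E, F, s, t, K1, K2):
    """The adversary A of Lemma A.1: s E-queries, then t/2s forward keys and t/2s
    inverse keys, each evaluated on all s points.  Returns 1 iff C is non-empty."""
    m = t // (2 * s)
    xs = list(range(s))                        # first s strings of {0,1}^n in order
    ys = [E(x) for x in xs]
    us = [tuple(F.enc(K1[i], x) for x in xs) for i in range(m)]
    vs = [tuple(F.dec(K2[i], y) for y in ys) for i in range(m)]
    C = [(a, b) for a in range(m) for b in range(m) if us[a] == vs[b]]
    return 1 if C else 0


def run_experiment(kappa, n, s, t, real, rng=None, crucial=None):
    """One run of the experiment behind Succ_A(Dbl, kappa, n) (real=True, E =
    F_{k1*} o F_{k2*}) or Succ_A(kappa, n) (real=False, E an independent random
    permutation).  Returns (A's output, number of E-queries, number of F-queries).
    K1, K2 are fixed here as the first 2 * t/2s keys (our choice, allowed by the lemma)."""
    rng = rng or random.Random(0)
    F = IdealCipher(n, rng)
    m = t // (2 * s)
    K1, K2 = list(range(m)), list(range(m, 2 * m))
    e_count = [0]
    if real:
        k1, k2 = crucial or (rng.randrange(2 ** kappa), rng.randrange(2 ** kappa))
        def E(x):
            e_count[0] += 1
            return F.perm(k1)[F.perm(k2)[x]]   # Dbl-F_{k1,k2}(x) = F_{k1}(F_{k2}(x))
    else:
        p = list(range(2 ** n))
        rng.shuffle(p)
        def E(x):
            e_count[0] += 1
            return p[x]
    bit = mitm_adversary(E, F, s, t, K1, K2)
    return bit, e_count[0], F.queries


def estimate_success(kappa, n, s, t, trials, seed=1):
    """Monte Carlo estimates of Succ_A(Dbl, kappa, n) and Succ_A(kappa, n)."""
    rng = random.Random(seed)
    real = sum(run_experiment(kappa, n, s, t, True, rng)[0] for _ in range(trials))
    rand = sum(run_experiment(kappa, n, s, t, False, rng)[0] for _ in range(trials))
    return real / trials, rand / trials


def lemma_a1_bound(kappa, n, s, t):
    """Right-hand side of Lemma A.1: t^2/(4 s^2) * (2^-2kappa - 2^-s(n-1))."""
    return t * t / (4 * s * s) * (2.0 ** (-2 * kappa) - 2.0 ** (-s * (n - 1)))
```

With $\kappa = 3$, $n = 6$, $s = 2$ and $t = 8$ the first estimate is dominated by the term $(t/2s)^2/2^{2\kappa} = 1/16$ of the proof, while the second stays near the union-bound term $(t/2s)^2/2^{s(n-1)} = 1/256$.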



B Analysis of the two-key triple cipher 

The two-key triple cipher (namely, the construction underlying two-key triple DES) was defined in 
Section 2. The same upper bound on the advantage of any adversary $A$ attacking this cipher can 
be shown as for the double cipher: 

Theorem B.1 For any $\kappa, n, q, t \ge 1$ it is the case that 

$$\mathrm{Sec}(\mathrm{Trp}_2,\kappa,n,q,t) \le \frac{t^2}{2^{2\kappa}} .$$

Unlike the case of the double cipher, however, this bound is not tight, and we believe it can be 
improved by a better analysis. 

The proof of the theorem is obtained by adapting the proof of Theorem 3.1. We will use 
essentially the same setup; we start by giving some new definitions and then continue by showing 
the necessary modifications for the proof in Section 3 so that it works also in the case of operator 
$\mathrm{Trp}_2$. 
Games, setup, random variables and event $\mathrm{BAD}_i$. The experiment underlying Game 2 is the 
same as for the proof of Theorem 3.1. The experiment underlying Game 1 is now the following: 

$$F \leftarrow \mathrm{BC}(\kappa,n);\quad k_1^* \leftarrow \{0,1\}^\kappa;\quad k_2^* \leftarrow \{0,1\}^\kappa;\quad E \leftarrow F_{k_1^*} \circ F_{k_2^*}^{-1} \circ F_{k_1^*} ,$$

and the game is to just run $A^{E,F,F^{-1}}$ and reply to its oracle queries according to the functions 
$E, F, F^{-1}$ chosen by the experiment. The setup and the random variables are defined exactly in 
the same way as before, with the understanding that when we mention $E$-queries, in Game 1, we 
refer to a query to the cipher $F_{k_1^*} \circ F_{k_2^*}^{-1} \circ F_{k_1^*}$. Event $\mathrm{BAD}_i$ is formally defined exactly as before. 

Analysis. We observe that almost all lemmas in our previous analysis do not significantly depend 
on the construction we are analyzing. More precisely, we see that all lemmas but Lemma 3.6 require 
no modification for both the statement and the proof to hold also in the case of the construction 
$\mathrm{Trp}_2$. So it remains to modify Lemma 3.6 so that it works also in the current case. Recall that this 
lemma is trying to show that the distribution of the next reply is independent of which game the 
adversary is in, and also of a fixed un-eliminated key pair. However, this can in fact be seen to still 
be true, because we are still looking at compositions of random permutations with one unknown. 
We omit the details. 

Lower bound. The standard meet in the middle attack for triple DES [?, 12] can be put and 
analyzed in our model analogously to the way we did it above for the double cipher. The analysis 
indicates that our upper bound for the two-key triple cipher is tight (up to a constant factor) when 
q t, but not tight in general. We do not include the details of this analysis. 